Re: [jose] [Cfrg] GCM nonce reuse question
Richard Barnes <rlb@ipv.sx> Mon, 15 April 2013 17:39 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 799F121F9641 for <jose@ietfa.amsl.com>; Mon, 15 Apr 2013 10:39:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.126
X-Spam-Level:
X-Spam-Status: No, score=-1.126 tagged_above=-999 required=5 tests=[AWL=1.851, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KYBigcqlidxD for <jose@ietfa.amsl.com>; Mon, 15 Apr 2013 10:39:04 -0700 (PDT)
Received: from mail-oa0-f50.google.com (mail-oa0-f50.google.com [209.85.219.50]) by ietfa.amsl.com (Postfix) with ESMTP id 8B24C21F9635 for <jose@ietf.org>; Mon, 15 Apr 2013 10:39:04 -0700 (PDT)
Received: by mail-oa0-f50.google.com with SMTP id n1so4665856oag.37 for <jose@ietf.org>; Mon, 15 Apr 2013 10:39:04 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=6xMlGhKVdhpotrFRk3uRrjKNddHS/gpb8oVoPXpCTqk=; b=IPB5XsEJU02ZX1myIIGPBwOcLr/lcwZMEgXKuRjMDoKAI4mV9L7S2muPn2aDyPweEz cLga5L4VqqhrlQWWOHIqn3dgURiVgP4HCazmGhqQ61QryVriW+yYuzBRLfj+OGQsTRye 0dXfRzmhFYJEUiqlie6c51rUbZg0+mfWHccV+N7POhfTLKmosC6mUpKM/KWsOO28Bp2I Q6EO+nxDWoSVinDHrLzn8VztTBmvICQymIFZJFBVxephObdCjw8jje3j6DttnH0rEDtu RHQGKHbrthwSNuA+RuycWV9oXRNWbUAGTGFPsEkkcsXTx06T6fT8CdNmN+6QeE4Jx1hh vCCA==
MIME-Version: 1.0
X-Received: by 10.60.62.39 with SMTP id v7mr2608509oer.5.1366047544040; Mon, 15 Apr 2013 10:39:04 -0700 (PDT)
Received: by 10.60.25.196 with HTTP; Mon, 15 Apr 2013 10:39:03 -0700 (PDT)
X-Originating-IP: [137.54.9.111]
In-Reply-To: <57A12B7F-30D2-4406-A66F-1FA0B03B4313@cisco.com>
References: <006a01ce2b3c$8f0d03b0$ad270b10$@augustcellars.com> <747787E65E3FBD4E93F0EB2F14DB556B183EF2E3@xmb-rcd-x04.cisco.com> <4E1F6AAD24975D4BA5B1680429673943675A0978@TK5EX14MBXC283.redmond.corp.microsoft.com> <004e01ce2fb9$74979730$5dc6c590$@augustcellars.com> <4EC6AC2C-8EE6-4433-8302-E884DD0B3C06@ve7jtb.com> <734D4714-BEF1-4E0C-8DB4-6753083F0F11@bbn.com> <255B9BB34FB7D647A506DC292726F6E1150C74DDCF@WSMSG3153V.srv.dir.telstra.com> <CAL02cgQwz4136CTEoz-RBude+pwAxB1pUFBzh6y=pMtL4ZuVLw@mail.gmail.com> <57A12B7F-30D2-4406-A66F-1FA0B03B4313@cisco.com>
Date: Mon, 15 Apr 2013 13:39:03 -0400
Message-ID: <CAL02cgTY9ce-0GD6zAu4t=FfL0VC9NqUSQNZ_JBi3FSN01tm5w@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Matt Miller <mamille2@cisco.com>
Content-Type: multipart/alternative; boundary="089e013a005a9bf1df04da69ba4e"
X-Gm-Message-State: ALoCoQkIzZt+Ke3siJbbYEJR5wbxIi7ySKKCS+G3X5RioiYI77mPTft213lkk2QAp0xm1SYzZVjw
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "Manger, James H" <James.H.Manger@team.telstra.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] [Cfrg] GCM nonce reuse question
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2013 17:39:05 -0000
On Mon, Apr 15, 2013 at 11:50 AM, Matt Miller <mamille2@cisco.com> wrote: > > On Apr 15, 2013, at 9:25 AM, Richard Barnes <rlb@ipv.sx> > wrote: > > > On Sun, Apr 14, 2013 at 9:55 PM, Manger, James H < > > James.H.Manger@team.telstra.com> wrote: > > > >> I think there are more options for handling multiple recipients of > >> AEAD-secured content: > >> > >> > >> Option 3: Put all per-recipient info into one header; keep this header > >> under the AEAD integrity check; have one nonce. > >> COST: All recipients need to be known (and their key exchange info > >> created) before the AEAD algorithm is applied. > >> COST: The JWE JSON header structure needs to be adjusted (eg to have an > >> array of recipient info) so it is not backward compatible with current > >> drafts. > >> COST: Doesn't help use cases where one recipient forwards an > >> AEAD-secured message on to a new recipient (eg an XMPP system receives a > >> message secured for a user and re-secures it for a specific device of > that > >> user). Changing recipients requires reapplying the AEAD operations. > >> COST: Each recipient needs to see key exchange info of all recipients > >> (privacy impact?). > >> POSSIBLE-BENEFIT: Recipients, key exchanges, parameters, and content is > >> secured as a complete unit. > >> > >> > >> Option 2b: Remove per-recipient info from AEAD integrity check; but add > >> AEAD details to each key exchange. For instance, info about an AEAD > >> operation (alg id, key id etc) potentially even including the whole > >> ciphertext is used as the "label" for the RSAES-OAEP-ENCRYPT operation > that > >> encrypts the AEAD secret key for a recipient. > >> BENEFIT: The key exchange is tied to a specific AEAD operation. > >> COST: Crypto is not typically done like this; uncertain as to what > exact > >> security properties you are getting. Perhaps there are some > similarities to > >> NIST Concat KDF that adds "context" to key derivation: this adds > "context" > >> about an AEAD operation to the key exchange. > >> > >> > >> I agree with Richard Barnes that the per-recipient key exchange details > >> should be outside the AEAD operation (not covered by the AEAD integrity > >> check). Go with option 2 or 2b. > >> Then, separately, we can decide which details of the AEAD operation > should > >> be bound to each key exchange: none? AEAD key length? AEAD alg id? whole > >> AEAD header? AEAD ciphertext? other context? > >> > >> > >> -- > >> James Manger > >> > >> > > > > At the same time, this attribute should be optional, since I think there > > are use cases where the CMK is not entirely ephemeral. For example, I > > think the current XMPP e2e document uses it as a session key rather than > an > > individual message key, so you wouldn't want to limit the key to a single > > JWE. > > > > XMPP e2e has both a session key and a per-message key. The per-message key > is protected by the session key. > > That said, I also think Option 2 or 2b makes the most sense. > > > - m&m > > Matt Miller < mamille2@cisco.com > > Cisco Systems, Inc. > Thanks for the clarification. I think the point stands, however, that the "JWE-digest" attribute can be added as a protected attribute to the wrapped key -- if we do wrapped keys right! --Richard
- [jose] FW: GCM nonce reuse question Jim Schaad
- Re: [jose] FW: GCM nonce reuse question Mike Jones
- Re: [jose] FW: GCM nonce reuse question Mike Jones
- Re: [jose] FW: GCM nonce reuse question Richard Barnes
- Re: [jose] FW: GCM nonce reuse question Vijay Bharadwaj
- Re: [jose] [Cfrg] GCM nonce reuse question Richard Barnes
- Re: [jose] [Cfrg] GCM nonce reuse question Manger, James H
- Re: [jose] [Cfrg] GCM nonce reuse question Richard Barnes
- Re: [jose] [Cfrg] GCM nonce reuse question Matt Miller
- Re: [jose] [Cfrg] GCM nonce reuse question Richard Barnes